CVE-2026-5251
MEDIUM
5,3
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A
MEDIUM
6,3
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Scope: unchanged
Confidentiality: low
Integrity: low
Availability: low
MEDIUM
6,5
Source: [email protected]
Access Vector: network
Access Complexity: low
Authentication: single
Confidentiality: partial
Integrity: partial
Availability: partial
Description
AI Translation Available
A vulnerability was identified in z-9527 admin 1.0/2.0. This impacts an unknown function of the file /server/routes/user.js of the component User Update Endpoint. Such manipulation of the argument isAdmin with the input 1 leads to dynamically-determined object attributes. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
913
Improper Control of Dynamically-Managed Code Resources
IncompleteCommon Consequences
Security Scopes Affected:
Integrity
Other
Potential Impacts:
Execute Unauthorized Code Or Commands
Varies By Context
Alter Execution Logic
Applicable Platforms
Languages:
Interpreted, Not Language-Specific
915
Improperly Controlled Modification of Dynamically-Determined Object Attributes
IncompleteCommon Consequences
Security Scopes Affected:
Integrity
Other
Potential Impacts:
Modify Application Data
Execute Unauthorized Code Or Commands
Varies By Context
Alter Execution Logic
Applicable Platforms
Languages:
ASP.NET, Not Language-Specific, PHP, Python, Ruby
https://github.com/CC-T-454455/Vulnerabilities/tree/master/z9527-admin/vulnerab…
https://vuldb.com/submit/780607
https://vuldb.com/vuln/354441
https://vuldb.com/vuln/354441/cti